VAPT Services in Delhi · Government, PSU & Ministry
CERT-In empanelled VAPT for central government, PSUs, ministries and Delhi-NCR fintech — GeM-listed, submission-format reporting.
How a Macksofy VAPT engagement runs in Delhi NCR.
Delhi VAPT is overwhelmingly a government and PSU procurement story — and the Indian central-government cybersecurity buyer is a fundamentally different customer from a private-sector BFSI buyer. Tendering routes through GeM (Government e-Marketplace), the Central Public Procurement Portal (CPPP) or the Defence e-Procurement portal where applicable. The buyer asks for a CERT-In empanelled vendor letter, the latest empanelment certificate, a GeM-listed vendor seller-ID, the ISO 27001:2022 and ISO 9001:2015 certificates, and a list of comparable central-government and PSU engagement experience. Macksofy carries all of these and has delivered VAPT engagements to central-government departments, public-sector banks, defence-adjacent organisations and Aadhaar ecosystem actors.
Central-government VAPT scoping has its own shape. The asset inventory typically includes a citizen-facing portal (often hosted at *.gov.in, sometimes at *.nic.in for NIC-hosted workloads), a Bhashini-translated regional-language frontend, a Bharat-Aadhaar-authentication layer (AUA / KUA for Aadhaar-enabled identity verification, DigiLocker integration, eKYC API consumption), an API-gateway-of-India (APIGW) layer for inter-ministry data exchange, and a back-office mainframe or commercial-banking platform behind it. We map each component to its specific MeitY / CERT-In control set and crosswalk to the National Cyber Security Coordinator (NCSC) office's expectations where applicable.
The Bharat / Aadhaar / DigiLocker / API-gateway-of-India scope is unique to Delhi and a Macksofy strength. Aadhaar-AUA / KUA VAPT requires UIDAI-aligned testing methodology — biometric-replay resistance, e-KYC consent-flow integrity, virtual-ID handling, the authentication-API rate-limit and the audit-log evidence requirement under the Aadhaar Authentication Regulations 2016 (as amended 2024). DigiLocker integration testing checks the OAuth scope handling against MeitY's DigiLocker partner-onboarding checklist. APIGW-of-India testing checks the inter-ministry consent-and-purpose-binding layer that MeitY rolled out under the Digital India ecosystem.
PSU bank VAPT in Delhi is a hybrid — RBI's regulatory expectations (Cyber Security Framework, MD-ITGRC) combined with the Department of Financial Services (DFS) circular cadence and the Comptroller and Auditor General of India (CAG) audit overlay. PSU banks are unusual because the IT estate is heterogeneous (Finacle and BaNCS coexisting, legacy mainframe-RACF still in production, branch-network spread across 4,000-15,000 nodes), the procurement cycle is long, and the audit-committee oversight is split between the bank's board and the DFS as the majority shareholder. We size proposals accordingly — fixed-fee SoW with explicit milestone-based payments tied to CAG audit cycles, and a separate inspection-defence retainer for the DFS / RBI thematic-review cycle.
Defence-adjacent and ministry-adjacent VAPT engagements have additional handling requirements — sometimes a security-clearance-equivalent for senior consultants, sometimes a no-cloud-data-transfer clause, sometimes an Indian-passport-only consultant requirement, and almost always an Indian-soil-data-residency requirement that we honour by default. Macksofy maintains an Indian-soil-only delivery option (no foreign-soil data egress) for these engagements, with attestation that satisfies the procuring department's information-security policy.
Delhi-NCR fintech VAPT is the second buyer segment — different methodology, same firm. Delhi-NCR (especially the Connaught Place / Karol Bagh / Saket / South Extension corridor and the parts of Gurugram and Noida that fall under 'Delhi' in informal procurement language) hosts a layer of fintech, lending, payments and BNPL operators that buy VAPT under RBI master directions. The methodology is the same as our Mumbai BFSI VAPT — the difference is procurement (faster, CTO-and-AppSec-lead signoff) and onsite cadence (Connaught Place walk-in, Karol Bagh / Saket inside two hours, Noida and Gurugram via the Yamuna Expressway or DND).
GeM tendering reality matters. Most central-government engagements close via GeM's reverse auction or BoQ-based bidding. Pricing transparency, the GeM seller-ID, the empanelment certificate and the comparable engagement experience are the four levers that decide the L1 outcome. Macksofy maintains a Delhi-resident bid-desk for active GeM tender response within the portal's 7-21 day windows. Procurement on PSU engagements is slower (3-6 months from RFP to PO), but the engagement length is longer (12-18 months from initial VAPT to follow-on retest cycles), so the lifetime value of a PSU-bank or ministry relationship is high.
Onsite cadence is dictated by Delhi geography. Connaught Place, ITO and the central-government secretariat belt are walk-in same day from Aerocity. Saket, South Extension and the ministry-adjacent zones inside the ring road are within 90 minutes. Noida (Sectors 16, 18, 62) and Greater Noida are via Yamuna Expressway in 60-90 minutes. Gurugram (Cyber City, DLF) is via NH-48 in 60-75 minutes. PSU bank head-office visits in Connaught Place or Bhavan-area secretariat addresses are walk-in. For multi-quarter ministry engagements we maintain a Delhi-resident lead consultant.
Five phases. Delhi NCR timeline.
Every Macksofy VAPT engagement in Delhi NCR runs through the same phased protocol — adapted to Delhi NCR-specific procurement, regulator and delivery realities.
- GeM / CPPP / Defence e-Procurement bid response with empanelment certificate, seller-ID and comparable engagement list
- Joint kickoff with the procuring department's IT secretary or DGS&D representative
- Indian-soil-only delivery attestation and Indian-passport-only consultant deployment where required
- MeitY / NCSC office submission-format reporting selected at kickoff
- Citizen-portal, regional-language frontend, Aadhaar AUA / KUA, DigiLocker and APIGW component inventory
- PSU bank Finacle / BaNCS / RACF inventory reconciliation with the bank's IT estate
- External attack-surface mapping limited to Indian-soil tooling (no foreign-soil data egress)
- MeitY / CERT-In / NCSC control crosswalk to the asset inventory
- Biometric-replay resistance, eKYC consent-flow integrity and virtual-ID handling per UIDAI methodology
- Aadhaar authentication-API rate-limit and audit-log evidence under Authentication Regulations 2016
- DigiLocker OAuth scope handling against MeitY partner-onboarding checklist
- APIGW inter-ministry consent-and-purpose-binding layer testing with Digital India ecosystem mapping
- MeitY / NCSC submission-format report with control-by-control crosswalk
- PSU bank RBI CSF + DFS circular + CAG audit overlay reconciliation document
- Department-specific information-security-policy alignment annex
- Indian-soil-only delivery attestation signed by Macksofy authorised signatory
- Re-test of every Critical and High inside the procurement-defined remediation window
- DFS / RBI thematic-review inspection-defence retainer for PSU banks
- CAG audit-cycle milestone payment release per the PO terms
- Ministry-side post-engagement risk-register sync where the department maintains one
Which Delhi NCR verticals we deliver VAPT for.
Central government departments
Citizen-portal, regional-language frontend, Aadhaar AUA / KUA and APIGW scopes — MeitY / NCSC submission-format reporting.
Public-sector banks
PSU bank Finacle / BaNCS estates — RBI CSF + DFS circular + CAG audit overlay reconciliation.
Defence-adjacent organisations
Indian-soil-only delivery, Indian-passport-only consultants and security-clearance-equivalent senior bench.
Aadhaar ecosystem actors
AUA / KUA / Sub-AUA entities — UIDAI methodology, Authentication Regulations 2016 evidence, virtual-ID handling.
Delhi-NCR fintech & lending
Connaught Place / Karol Bagh / Saket fintech — RBI master direction VAPT with fast CTO-and-AppSec-lead signoff.
State PSUs (Delhi Govt)
Delhi Government IT department and DJB / DTC-adjacent IT estates — state-procurement-portal VAPT with MeitY format.
The Delhi NCR deliverable pack.
Every Delhi NCR VAPT engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.
- VAPT report in CERT-In empanelled + MeitY / NCSC submission format with department-specific control crosswalk
- Aadhaar AUA / KUA Authentication Regulations 2016 evidence pack where in scope
- DigiLocker partner-onboarding checklist coverage where DigiLocker integration is in scope
- APIGW consent-and-purpose-binding layer testing memo for Digital India ecosystem actors
- PSU bank RBI CSF + DFS + CAG overlay reconciliation document
- Indian-soil-only delivery attestation signed by Macksofy authorised signatory
- GeM-portal-compatible bid response and engagement closure documentation
- Free re-test of every Critical and High inside the procurement-defined remediation window
A Delhi NCR VAPT case study.
End-to-end VAPT — citizen-portal (Hindi + 8 regional-language Bhashini frontends), Aadhaar AUA / KUA layer, DigiLocker OAuth integration, APIGW-of-India inter-ministry consent layer; Indian-soil-only delivery; 8-week engagement
Six Aadhaar AUA authentication-API rate-limit gaps closed pre-disclosure; two DigiLocker OAuth scope-handling issues closed in coordination with MeitY's DigiLocker team; one APIGW consent-and-purpose-binding bypass closed; report accepted by the ministry's IT secretary on first read and submitted to CERT-In without clarification request.
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
